If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Comment

Which would only be of any use if you could guarantee that no-one else had physical access to your machine. Otherwise they could drop a modified binary in your system path to do anything they wanted.

Both LUKS full-disk encryption and /home encryption are susceptible to this problem. Neither is resistant against "Evil Maid" style attacks. Even if you boot from external media normally which contains the crypto keys (on USB or SD card or whatever), the attacker could still switch boot order to boot from a specially crafted internal partition, then corrupt your boot media, and then continue to boot from there.

If someone is targeting you specifically to steal data or deply malicious code on your systems and they can get physical access to the systems, pretty much all bets are off (unless you have one of those fancy ORWL computers, for instance).

No, there exist concepts which are at least somewhat resistant against Evil Maid scenarios. Google Chromebooks are an example.

Comment

Side note: I recently installed ubuntu on a friend's computer, and it looks like the installer doesn't offer any luks on lvm options, so we had to do it manually. I wonder what's the performance penalty of this, but I would expect it to be minimal compared to plain luks.

Comment

Both LUKS full-disk encryption and /home encryption are susceptible to this problem. Neither is resistant against "Evil Maid" style attacks. Even if you boot from external media normally which contains the crypto keys (on USB or SD card or whatever), the attacker could still switch boot order to boot from a specially crafted internal partition, then corrupt your boot media, and then continue to boot from there.

No, there exist concepts which are at least somewhat resistant against Evil Maid scenarios. Google Chromebooks are an example.

Comment

Both LUKS full-disk encryption and /home encryption are susceptible to this problem. Neither is resistant against "Evil Maid" style attacks. Even if you boot from external media normally which contains the crypto keys (on USB or SD card or whatever), the attacker could still switch boot order to boot from a specially crafted internal partition, then corrupt your boot media, and then continue to boot from there.

What if you password-protect the BIOS and only allow to boot from external media after entering the password?

Comment

Regardless of performance I have been running FDE on every single system I manage for over 20 years. My biggest threat is thieves stealing hardware then having full access to the data and even basic FDE protects against that. Recently I have been looking to move to encrypted /boot due to very real espionage threats. I don't understand why management keeps hiring Chinese spies and giving them way too much access. "This time it will be different." Idiots.

Comment

I was specifically referring to the "all bets are off" remark. If you boot a Chromebook and it does not give you the developer mode warning, then you can be reasonably sure that the verified boot process is still intact.